Wednesday, August 17, 2011

Linux password policy

A Linux password lockout policy can be configured using PAM (Pluggable
Authentication Modules) to temporarily lock a user's account when someone
attempts to brute-force it by trying various password combinations. This
configuration uses the pam_tally2.so module. Brute-force hacking is a
method of finding a user's password by trying to log in with many
password combinations; with a lockout policy in place, the account is
locked once a certain number of incorrect passwords have been entered.
Before trying this tutorial on your system, make sure the file
/lib/security/pam_tally2.so exists: if it is missing, this configuration
will lock all user accounts even when the correct password is entered.
Using a text editor, open the file /etc/pam.d/system-auth and add the
following text as the second line:

    auth required pam_tally2.so deny=3 unlock_time=3600

The above statement will lock a user account if incorrect passwords are
entered three or more times, as specified in the deny option. The account
will be unlocked after 3600 seconds, as specified in the unlock_time
option. Choose the number of incorrect attempts and the unlock time wisely.
There is also an option that enforces this policy for the root user as well:

    auth required pam_tally2.so deny=3 unlock_time=3600 even_deny_root

even_deny_root will lock out the root user too, so use this option with
caution. After this is done, add another line in the account section of
the same file:

    account required pam_tally2.so
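The edit described in the steps above, as an added example that is not part of the original post: a shell function that inserts the two pam_tally2 lines into a system-auth file, refusing to do so when pam_tally2.so is absent (the post's caveat about locking every account). It runs against a constructed copy of system-auth in a temporary directory, never against /etc/pam.d, and the stand-in module file, sample file contents and function names are all assumptions for the example. Rather than counting to line two literally, it places the auth line ahead of the first existing auth entry, which on a typical system-auth is the same position.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the pam_tally2 lockout
# policy to a PAM service file the way the post describes, but only after
# confirming the module exists. Works on a constructed copy of system-auth
# in a temporary directory, never on /etc/pam.d.

# add_tally2_policy FILE MODULE_DIR DENY UNLOCK_TIME [even_deny_root]
add_tally2_policy() {
    file=$1; moddir=$2; deny=$3; unlock=$4; root_opt=${5:-}
    # If pam_tally2.so is missing, the auth line would fail every login.
    if [ ! -f "$moddir/pam_tally2.so" ]; then
        echo "refusing: $moddir/pam_tally2.so not found, logins would break" >&2
        return 1
    fi
    # Do not add the lines twice if the policy is already in place.
    if grep -q 'pam_tally2.so' "$file"; then
        echo "skipping: $file already references pam_tally2.so" >&2
        return 0
    fi
    auth_line="auth required pam_tally2.so deny=$deny unlock_time=$unlock${root_opt:+ $root_opt}"
    account_line="account required pam_tally2.so"
    cp "$file" "$file.bak"    # keep a copy to restore if logins break
    # The auth line goes ahead of the first auth module so it runs before
    # pam_unix.so; the account line goes ahead of the first account module.
    awk -v a="$auth_line" -v c="$account_line" '
        /^auth/    && !a_done { print a; a_done = 1 }
        /^account/ && !c_done { print c; c_done = 1 }
        { print }
    ' "$file.bak" > "$file"
}

# make_sample DIR: a constructed minimal system-auth plus an empty stand-in
# for the module file, so the example runs without touching the real system.
make_sample() {
    mkdir -p "$1/lib/security"
    : > "$1/lib/security/pam_tally2.so"
    cat > "$1/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow
session     required      pam_unix.so
EOF
}

demo=$(mktemp -d)
make_sample "$demo"
add_tally2_policy "$demo/system-auth" "$demo/lib/security" 3 3600
cat "$demo/system-auth"
```

The backup copy (system-auth.bak) is what you would restore from a second, already-open terminal if the CORRECT-password test described later fails.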
Save the /etc/pam.d/system-auth file. Before testing your configuration,
open another terminal and try to log in as any user with a CORRECT
password; if you are unable to log in at this stage, there is something
wrong with the /etc/pam.d/system-auth file. If you are able to log in
successfully, try logging in with the correct username and a wrong
password. After each attempt, execute the following command as root to
see the number of failed authentication attempts:

    pam_tally2

or, to see information for a specific user (replace username with the
actual user):

    pam_tally2 -u username
If you enter an incorrect password a certain number of times, the
following message will appear as soon as the username is entered:

    Account locked due to 4 failed login attempts

To manually unlock the account before unlock_time has elapsed, use the
following command:

    pam_tally2 -u username -r
A more conservative use of the above command is to reduce the count of
unsuccessful logins rather than clear it. For example, if the password
retry limit is 3 and user Alice has tried logging in with an incorrect
password 4 times, unlocking the account with the above command gives
Alice another 3 tries, which might give a potential attacker more
attempts. Instead, the incorrect-attempts counter can be set to 2 so that
Alice has just one more attempt:

    pam_tally2 -u username --reset=2

will set the incorrect password counter for the user to 2.
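An added example, not part of the original post, for the checking and reset steps above: a small awk filter that reads a pam_tally2-style report, flags every user whose failure count has reached the deny value (the post's "three or more"), and prints the conservative reset command the post recommends (deny minus one, leaving a single attempt). The column layout "Login Failures Latest failure From" is assumed from pam_tally2's report format, and the report lines below are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the original post: flag users at the deny
# limit in a pam_tally2-style report and suggest the conservative reset
# (deny - 1) from the post. Column layout is assumed; data is constructed.

# tally_report DENY   (reads a pam_tally2 report on stdin)
tally_report() {
    awk -v deny="$1" '
        NR == 1 { next }                        # skip the header line
        $2 + 0 >= deny + 0 {                    # failures reached the limit
            printf "%s AT_LIMIT failures=%s suggest: pam_tally2 -u %s --reset=%d\n",
                   $1, $2, $1, deny - 1
            next
        }
        { printf "%s ok failures=%s\n", $1, $2 }
    '
}

# Constructed sample in the shape of pam_tally2 output (not a real capture).
sample_report() {
    cat <<'EOF'
Login           Failures Latest failure     From
alice               4    08/17/11 10:12:05  tty1
bob                 1    08/17/11 09:30:41  pts/0
carol               3    08/17/11 08:02:17  192.0.2.10
EOF
}

sample_report | tally_report 3
```

On a live system the same filter would be fed with `pam_tally2 | tally_report 3` as root; the suggested command only sets the counter, so the operator still decides whether a full reset (-r) is appropriate.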
In case the root user is locked out and you immediately need to log in
as root, boot your system into single user mode and execute the following
command:

    pam_tally2 -u root -r